[svn-buildpackage] Tagging exim4 4.69-9+lenny34.69-9+lenny3

svn path=/exim/tags/4.69-9+lenny3/; revision=2565

4 files changed, 158 insertions, 5 deletions

diff --git a/debian/changelog b/debian/changelog
index 994b064..27ddbad 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,16 @@
-exim4 (4.69-9+lenny3) UNRELEASED; urgency=low
-
-  * NOT RELEASED YET
-
- -- Andreas Metzler <ametzler@debian.org>  Thu, 06 Jan 2011 13:25:18 +0100
+exim4 (4.69-9+lenny3) stable-security; urgency=low
+
+  * 80_4.74_CVE-2011-0017.dpatch (Pulled from upstream git): Check return
+    values of setgid/setuid. This is a privilege escalation vulnerability
+    whereby the Exim run-time user can cause root to append content of the
+    attacker's choosing to arbitrary files.
+  * 80_4.74_deliverylogging.dpatch (Pulled from upstream git): If a non-debug
+    daemon was invoked with a non-whitelisted macro, then logs from after
+    attempting delivery would be silently lost, including for successful
+    delivery.  This log-loss bug was introduced as part of the security
+    lockdown for fixing CVE-2010-4345. Closes: #610611
+
+ -- Andreas Metzler <ametzler@debian.org>  Mon, 24 Jan 2011 19:31:06 +0100
 
 exim4 (4.69-9+lenny2) stable-security; urgency=high
 
diff --git a/debian/patches/00list b/debian/patches/00list
index 8441a55..879f2cb 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -21,5 +21,7 @@
 80_4.73rc1_6_nonroot_system_filter_user.dpatch
 80_4.73rc1_7_filter_D_option.dpatch
 80_4.73rc1_8_updatedocumentation.dpatch
+80_4.74_CVE-2011-0017.dpatch
+80_4.74_deliverylogging.dpatch
 81_pool_reset_issue.dpatch
 82_string_format_overflow.dpatch
diff --git a/debian/patches/80_4.74_CVE-2011-0017.dpatch b/debian/patches/80_4.74_CVE-2011-0017.dpatch
new file mode 100755
index 0000000..b618547
--- /dev/null
+++ b/debian/patches/80_4.74_CVE-2011-0017.dpatch
@@ -0,0 +1,112 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 80_4.74_CVE-2011-0017.dpatch by Phil Pennock <pdp@exim.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Check return values of setgid/setuid.
+## DP:
+## DP: CVE-2011-0017
+## DP: One assertion of the unimportance of checking the return value was
+## DP: wrong in the event of a compromised exim run-time user.
+## DP: 1670ef10063d7708eb736a482d1ad25b9c59521d
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' exim-4.69~/build-tree/src/exim.c exim-4.69/build-tree/src/exim.c
+--- exim-4.69~/build-tree/src/exim.c	2011-01-24 19:12:39.000000000 +0100
++++ exim-4.69/build-tree/src/exim.c	2011-01-24 19:14:35.000000000 +0100
+@@ -1412,7 +1412,7 @@
+ int  filter_sfd = -1;
+ int  filter_ufd = -1;
+ int  group_count;
+-int  i;
++int  i, rv;
+ int  list_queue_option = 0;
+ int  msg_action = 0;
+ int  msg_action_arg = -1;
+@@ -1744,8 +1744,20 @@
+ 
+ if (real_uid == root_uid)
+   {
+-  setgid(real_gid);
+-  setuid(real_uid);
++  rv = setgid(real_gid);
++  if (rv)
++    {
++    fprintf(stderr, "exim: setgid(%ld) failed: %s\n",
++        (long int)real_gid, strerror(errno));
++    exit(EXIT_FAILURE);
++    }
++  rv = setuid(real_uid);
++  if (rv)
++    {
++    fprintf(stderr, "exim: setuid(%ld) failed: %s\n",
++        (long int)real_uid, strerror(errno));
++    exit(EXIT_FAILURE);
++    }
+   }
+ 
+ /* If neither the original real uid nor the original euid was root, Exim is
+@@ -3945,7 +3957,28 @@
+ 
+ /* When we are retaining a privileged uid, we still change to the exim gid. */
+ 
+-else setgid(exim_gid);
++else
++  {
++  int rv;
++  rv = setgid(exim_gid);
++  /* Impact of failure is that some stuff might end up with an incorrect group.
++  We track this for failures from root, since any attempt to change privilege
++  by root should succeed and failures should be examined.  For non-root,
++  there's no security risk.  For me, it's { exim -bV } on a just-built binary,
++  no need to complain then. */
++  if (rv == -1)
++    {
++    if (!unprivileged)
++      {
++      fprintf(stderr,
++          "exim: changing group failed: %s\n", strerror(errno));
++      exit(EXIT_FAILURE);
++      }
++    else
++      debug_printf("changing group to %ld failed: %s\n",
++          (long int)exim_gid, strerror(errno));
++    }
++  }
+ 
+ /* Handle a request to list the delivery queue */
+ 
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' exim-4.69~/build-tree/src/log.c exim-4.69/build-tree/src/log.c
+--- exim-4.69~/build-tree/src/log.c	2007-08-22 12:10:23.000000000 +0200
++++ exim-4.69/build-tree/src/log.c	2011-01-24 19:14:35.000000000 +0100
+@@ -343,17 +343,26 @@
+ 
+ else if (euid == root_uid)
+   {
+-  int status;
++  int status, rv;
+   pid_t pid = fork();
+ 
+   /* In the subprocess, change uid/gid and do the creation. Return 0 from the
+-  subprocess on success. There doesn't seem much point in testing for setgid
+-  and setuid errors. */
++  subprocess on success. If we don't check for setuid failures, then the file
++  can be created as root, so vulnerabilities which cause setuid to fail mean
++  that the Exim user can use symlinks to cause a file to be opened/created as
++  root.  We always open for append, so can't nuke existing content but it would
++  still be Rather Bad. */
+ 
+   if (pid == 0)
+     {
+-    (void)setgid(exim_gid);
+-    (void)setuid(exim_uid);
++    rv = setgid(exim_gid);
++    if (rv)
++      die(US"exim: setgid for log-file creation failed, aborting",
++	  US"Unexpected log failure, please try later");
++    rv = setuid(exim_uid);
++    if (rv)
++      die(US"exim: setuid for log-file creation failed, aborting",
++	  US"Unexpected log failure, please try later");
+     _exit((create_log(buffer) < 0)? 1 : 0);
+     }
+ 
diff --git a/debian/patches/80_4.74_deliverylogging.dpatch b/debian/patches/80_4.74_deliverylogging.dpatch
new file mode 100755
index 0000000..e9e9794
--- /dev/null
+++ b/debian/patches/80_4.74_deliverylogging.dpatch
@@ -0,0 +1,31 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 80_4.74_deliverylogging.dpatch by  Phil Pennock <pdp@exim.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Bug 1071: fix delivery logging with untrusted macros.
+## DP: 
+## DP: If dropping privileges for untrusted macros, we disabled normal logging
+## DP: on the basis that it would fail; for the Exim run-time user, this is not
+## DP: the case, and it resulted in successful deliveries going unlogged.
+## DP: b7487bcec431809cb7fc3c2b42fcd607e43d37e7
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' exim-4.69~/build-tree/src/exim.c exim-4.69/build-tree/src/exim.c
+--- exim-4.69~/build-tree/src/exim.c	2011-01-24 19:21:00.000000000 +0100
++++ exim-4.69/build-tree/src/exim.c	2011-01-24 19:21:50.000000000 +0100
+@@ -3418,9 +3418,13 @@
+   and should be used for any logging information because attempts to write
+   to the log will usually fail. To arrange this, we unset really_exim. However,
+   if no stderr is available there is no point - we might as well have a go
+-  at the log (if it fails, syslog will be written). */
++  at the log (if it fails, syslog will be written).
+ 
+-  if (log_stderr != NULL) really_exim = FALSE;
++  Note that if the invoker is Exim, the logs remain available. Messing with
++  this causes unlogged successful deliveries.  */
++
++  if ((log_stderr != NULL) && (real_uid != exim_uid))
++    really_exim = FALSE;
+   }
+ 
+ /* Privilege is to be retained for the moment. It may be dropped later,